qemu-e2k/hw
Daniel P. Berrangé 00f4269743 display: ensure qxl log_buf is a nul terminated string
The QXL_IO_LOG command allows the guest to send log messages to the host
via a buffer in the QXLRam struct. QEMU prints these to the console if
the qxl 'guestdebug' option is set to non-zero. It will also feed them
to the trace subsystem if any backends are built-in.

In both cases the log_buf data will get treated as being a nul
terminated string, by the printf '%s' format specifier and / or other
code reading the buffer.

QEMU does nothing to guarantee that the log_buf really is nul terminated,
so there is potential for out of bounds array access.

This would affect any QEMU which has the log, syslog or ftrace trace
backends built into QEMU. It can only be triggered if the 'qxl_io_log'
trace event is enabled, however, so they are not vulnerable without
specific administrative action to enable this.

It would also affect QEMU if the 'guestdebug' parameter is set to a
non-zero value, which again is not the default and requires explicit
admin opt-in.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20190123120016.4538-2-berrange@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2019-01-24 14:16:56 +00:00
9pfs xen: re-name XenDevice to XenLegacyDevice... 2019-01-14 13:45:40 +00:00
acpi hw/acpi: Use QEMU_NONSTRING for non NUL-terminated arrays 2019-01-17 21:10:57 -05:00
adc Include qapi/error.h exactly where needed 2018-02-09 13:50:17 +01:00
alpha avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
arm hw/arm/virt-acpi-build: Set COHACC override flag in IORT SMMUv3 node 2019-01-21 10:23:11 +00:00
audio hw/audio/marvell: Don't include unnecessary i2c.h header file 2019-01-10 09:51:42 +01:00
block hw/block/xen: use proper format string for printing sectors 2019-01-21 14:45:49 +00:00
bt hw/bt: Replace fprintf(stderr, "*\n" with error_report() 2018-01-22 09:51:00 +01:00
char hw/char/stm32f2xx_usart: Do not update data register when device is disabled 2019-01-21 10:23:10 +00:00
core tpm: add a "ppi" boolean property 2019-01-17 21:10:57 -05:00
cpu hw/cpu: introduce CPU clusters 2019-01-07 15:23:45 +00:00
cris hw/cris: Use the IEC binary prefix definitions 2018-07-02 15:41:15 +02:00
display display: ensure qxl log_buf is a nul terminated string 2019-01-24 14:16:56 +00:00
dma avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
gpio avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
hppa hw/hppa/dino: Remove unuseful code 2018-10-24 06:44:59 -03:00
hyperv hw/hyperv: fix NULL dereference with pure-kvm SynIC 2018-11-26 14:14:38 -02:00
i2c i2c-ddc: fix oob read 2019-01-11 11:45:00 +01:00
i386 acpi: build TPM Physical Presence interface 2019-01-17 21:10:57 -05:00
ide avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
input avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
intc ppc: Move spapr-related prototypes from xics.h into a seperate header file 2019-01-22 05:14:33 +01:00
ipack hw/ipack: Use the IEC binary prefix definitions 2018-07-02 15:41:12 +02:00
ipmi ipmi: Use proper struct reference for BT vmstate 2018-08-23 18:46:25 +02:00
isa configs: Add a CONFIG_SMC37C669 switch for the "smc37c669-superio" device 2018-10-24 07:33:44 +01:00
lm32 milkymist: Check for failure trying to load BIOS image 2018-11-06 11:32:14 +00:00
m68k hw/m68k: Use the IEC binary prefix definitions 2018-07-02 15:41:14 +02:00
mem memory-device: rewrite address assignment using ranges 2019-01-09 22:09:31 -02:00
microblaze hw/microblaze: s3adsp1800: Create an unimplemented GPIO area 2019-01-22 03:16:32 -08:00
mips target/mips: Update ITU to utilize SAARI and SAAR CP0 registers 2019-01-18 16:53:28 +01:00
misc MIPS queue for January 17, 2019 - v2 2019-01-21 17:53:28 +00:00
moxie trivial: Don't include isa.h if it is not really necessary 2019-01-09 11:24:35 +01:00
net ftgmac100: implement the new MDIO interface on Aspeed SoC 2019-01-21 10:23:11 +00:00
nios2 Support u-boot noload images for arm as used by, NetBSD/evbarm GENERIC kernel. 2019-01-07 15:46:20 +00:00
nvram trivial: Don't include isa.h if it is not really necessary 2019-01-09 11:24:35 +01:00
openrisc Change references to serial_hds[] to serial_hd() 2018-04-26 13:57:00 +01:00
pci msix: make pba size math more uniform 2019-01-14 19:31:04 -05:00
pci-bridge pci/shpc: perform unplug via the hotplug handler 2018-12-20 11:19:12 -05:00
pci-host pam: wrap MemoryRegion initialization in a transaction 2019-01-11 13:57:23 +01:00
pcmcia
ppc ppc: Move spapr-related prototypes from xics.h into a seperate header file 2019-01-22 05:14:33 +01:00
rdma hw/rdma: modify struct initialization 2019-01-19 11:01:33 +02:00
riscv sifive_uart: Implement interrupt pending register 2018-12-20 12:08:43 -08:00
s390x s390x/pci: add common function measurement block 2019-01-18 11:52:01 +01:00
scsi qemu: avoid memory leak while remove disk 2019-01-14 19:31:04 -05:00
sd hw/sd/sdhci: Don't leak memory region in sdhci_sysbus_realize() 2018-12-14 13:30:54 +00:00
sh4 avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
smbios hw/smbios: Move to the hw/firmware/ subdirectory 2018-12-19 16:48:16 -05:00
sparc trivial: Don't include isa.h if it is not really necessary 2019-01-09 11:24:35 +01:00
sparc64 hw/sparc64/niagara: Model the I/O Bridge with the 'unimplemented_device' 2018-10-24 06:44:59 -03:00
ssi hw/ssi/xilinx_spi: Use DeviceState::realize rather than SysBusDevice::init 2018-10-24 06:44:59 -03:00
timer trivial: Don't include isa.h if it is not really necessary 2019-01-09 11:24:35 +01:00
tpm tpm: clear RAM when "memory overwrite" requested 2019-01-17 21:10:57 -05:00
tricore hw/tricore: Use the IEC binary prefix definitions 2018-07-02 15:41:14 +02:00
unicore32 hw/input/i8042: Extract declarations from i386/pc.h into input/i8042.h 2018-03-12 16:12:48 +01:00
usb xen: re-name XenDevice to XenLegacyDevice... 2019-01-14 13:45:40 +00:00
vfio qemu/queue.h: typedef QTAILQ heads 2019-01-11 15:46:55 +01:00
virtio hw/virtio/virtio-balloon: zero-initialize the virtio_balloon_config struct 2019-01-21 17:20:36 +00:00
watchdog hw/watchdog/wdt_i6300esb: remove a unnecessary comment 2019-01-11 15:46:55 +01:00
xen xen: automatically create XenBlockDevice-s 2019-01-14 13:45:40 +00:00
xenpv xen: Replace few mentions of xend by libxl 2019-01-14 13:45:40 +00:00
xtensa target/xtensa: xtfpga: provide default memory sizes 2018-11-21 10:53:21 -08:00
Makefile.objs memory-device: introduce separate config option 2018-10-24 06:44:59 -03:00